Archives

Meta

Month: March 2018

So you are reading this guide because you either want to know about if eJPT is worth to take, or, to get some tips from the people who already passed the exam. Or maybe you are an absolute beginner, who asked /r/netsecstudents “Where do I start” and got a response about “go get eJPT”. I was in the same situation, and wanted to give some guide for my fellow beginners about eJPT course and exam.

From 2/18/2018 ~ 3/18/2018, I’ve studied and practice for eLearnSecurity’s Junior Penetration Tester course and certificate and passed it. I’ve put a total of 15 hours of studying and 10 hours of doing labs. It was pretty hard balancing around midterms, essays, projects, and quizzes, but I managed to consistently study it for a short amount of time every day.

In this review guide, I’ll go over..

What eJPT is

Who should take eJPT

Structure of the course, and the exam

Strategy to pass the exam

Is eJPT Worth It? (Money vs. Time)

Before starting the review, I’ll give a short introduction about myself. This is because when reading an exam review guide, it is extremely crucial to know the author’s background (is the author a security researcher who worked in a company for past 10 years? Or a college freshman kid who just started his journey?).

About me – background

Starting freshman majoring in Computing Security, had absolutely zero background in computing. Just an average joe. Typical freshman who got extremely mad when he found out he needs to take 4 general education course and 1 major-related course (am I a creative-writing major? or computing security major?).

What is eJPT course and certificate

eJPT is a Junior Penetration Tester course/certificate made by eLearnSecurity. Although frankly speaking eLearnSecurity is not big as some other companies and organizations such as Offensive Security or SANS, eLearnSecurity does have good reputation in the pentesting certificate field.

eJPT exam is not like other multiple-choice exam, it takes the OSCP route. People taking the exam is expected to perform a mock penetration test. That is, you actually need to connect to an internal network, perform your penetration testing, and provide any information the exam wants you to do so.

The eJPT course covers the very basic of prerequisites such as networking, HTTP protocols, little bit of programming.

After covering the prerequisites, it goes into the basic pentesting materials:

Information Gathering

Footprinting and Scanning

Vulnerability Assessment

Web application Attack

System Attacks

Network Attacks

While covering those topics, the course also introduces various tools, how the tools work, and why/how to use them. These tools are some of the popular tools; such as nmap, Burpsuite, dirbuster, nessus, John the Ripper, sqlmap, metasploit, and meterpreter.

Who should take eJPT

As the name of the certificate and the course says, eJPT is targeted towards the absolute beginners to pentesting. If you are a student (middle/high/university) interested in pentesting, this certificate is for you. Since eJPT will give you a crash course on networking such as TCP/IP, OSI layers, Switches and Routers, ARP, TCP/UDP, Firewalls, IDS, DNS, this is a great opportunity to learn some of the very basics of networking.

For non-students, if you were working in the IT field but want to transition into pentesting, eJPT will help you. However, you may find most of the course too easy for you. If you have any kind of pentesting experience before, eJPT might be too easy for you as well.

However, even for the non-beginners, I believe eJPT provides an unique experience of providing you with all of the basic knowledge of pentesting and networking in one course. eJPT might be a good opportunity to check and build your fundamentals again. For example, you might be popping off vulnhub boxes here and there, by doing the traditional nmap -> searchsploit -> metasploit + meterpreter way. Yeah sure you know how to use and configure tools here and there. But do you know what’s going under the hood? Or why you used specific exploit?

Are you able to understand what is actually going on? Which tools are doing what, based on which protocols? If not, going over the basics might be a good idea.

Structure of the Course and the Exam

The course contains of slides, videos, and hands-on lab.

My least favorite was the slides; You are presented with just raw presentation slides, which is not capable of putting in-depth information. But to be honest, eJPT is a beginner exam and since the course covers various topics with shallow depth, so it doesn’t really matter.

The videos will actually perform some of the attacks and tools that were mentioned in the slides. This is a great opportunity to actually see how to perform an attack, or use tools. The video is well paced and very informative.

The hands-on lab is probably my favorite part of the course. You’ll connect to a vpn network and actually get to attack the target machines. The only cons I found was that the lab was too similar to the videos (hence it was too easy), and the number of labs was really small, making practicing too hard.

For the exam, you are a pentester who is expect to perform a penetration testing to a fake company. Remember, this is not vulnhub or a CTF. The goal of the exam is NOT getting root. You will be asked to retrieve particular information in the web server, database, target machines, hidden files, and much more. For example, if you find a XSS vulnerability in one of the web server, you will have to provide how many you found, where you found the XSS vulnerability, rather it is a reflected XSS, persistent XSS, or whether the XSS uses GET or POST, etc.

I won’t give too much details about the exam, but I was connected to an internal network, which I was able to find and connect to other networks, found a web server and a database, couple of workstations to retrieve information.

Strategy to pass the exam

eJPT is a hand holding, beginners exam. It’s not supposed to be hard, so no complex strategy is required to pass. However, you do need to do your job.

Take notes: As in, open up a text editor of your choice or google docs, and take notes of the slides, videos, labs, and anything you learned. Remember, you are supposed to learn from eJPT. Exams and certificates is not the priority.

Do all the labs: Nothing to explain here. The labs are fun and informative. But don’t just mindlessly fire up tools and use them. Always think what you are doing, and why.

Review: Before taking the exam, do all the labs again, with a timer. Check your pace. Make sure what you are doing. Don’t just mindlessly type nmap -sV -v -A <target ip>. Make sure you know why you are performing a specific attack, or, using a specific tool. Why are you typing the stuffs you are typing now? What do you expect out of it?

So, is it worth it?

As any certificate in the security field, I believe eJPT is also the choice between money vs. time. Yes, the knowledge provided from the course is very very basic, and you could probably google all the information that eJPT provides within days. Yes, the exam is easy enough that if you can pop open some vulnhub boxes, you could probably pass the eJPT exam.

However, if you are a beginner, you are probably lost. You don’t know anything. You don’t even know where to start. People kept saying “dude google it”, but you don’t know where to look. Google spits out hundreds of thousands of documents, tutorials, blog posts. Too much information cause you confusion. You try to learn the concept of SQLi, but you need to go through 10 different blog posts, 3 different wargames, various online CTFs (which are way too hard for you), several youtube videos. Too much information from too many sources confuse you. Everything is scattered in bits and pieces, and you just feel like you are not getting the fundamentals right.

For some, this struggle itself is a great joy of learning. For me right now, self paced researching and studying is a great delight. But before I joined my current school, studied for eJPT, I was frustrated with all the information thrown at me. I wanted a complex, well organized, hands on, practical, beginner oriented program that I can sit down, study with concentration, get tested upon, and acquire a certification.

And that’s eJPT.

For $300 or $200 dollars, you are provided with an well organized, beginner focused pentesting course and exam that you can just sit down and dig in. eJPT will spoon feed you and hand hold you, but in my opinion, that’s fine, since you are a beginner. After you are spoon fed, after you are hand held, you can finally stand up and find your own way to learn more about in depth security.